What do well-balanced information security professionals look like, and why should the government be hiring them?

With the release of the National Initiative for Cybersecurity Education (NICE) Framework and much talk about the cyber human capital crisis, one question that keeps coming up is “what type of information security professional should agencies be hiring?”

The debate started in 2010, with several high-profile stakeholders emphatically promoting the need for “warriors/hunters”, while others (this blog author included) cautioned that the need for well-balanced professionals exists as well.

In a recent GovExec webinar, a member of the audience posed the same question to the panelists, and I was pleasantly surprised by the responses of my fellow cyber workforce experts. It appears that opinions have evolved since the original debate began.

There is a need to clarify for the sake of those who don’t know what is meant when an information security professional is referred to as a “warrior” a.k.a. “hunter”.

Those referred to as “warriors” include people trying to discover breaches, those skilled in forensics that can effectively determine the extent of a network penetration and mitigate the origin of the threat. These individuals are typically found in an isolated environment, affixed on the unseen world of network crime.

There is no arguing that the ability to address all forms of breaches quickly and effectively is an essential aspect of any cyber security plan and that the specialist who is skilled at identifying and mitigating a breach is an important member of an agency’s cyber security team.

However, I hold the opinion that while you cannot do without the warriors, you must invest your recruiting efforts and often limited resources in trained professionals who are well versed in specialty areas but who also offer a much broader set of skills.

The most valuable information security professional is the one who can develop and implement a sound security plan, understands risk management, demonstrates solid communications skills, has the ability to earn and sustain credibility with senior leaders, and who knows enough about specialty areas that they can apply effective solutions.

I often liken it to choosing a doctor. You want someone who is knowledgeable in all aspects of ensuring your overall health, including such things as nutrition, vision and heart health. While a good general practitioner should immediately be able to detect abnormalities like symptoms of a brain tumor, for instance, they would not be expected to perform brain surgery. Rather, they should know how to identify and engage an expert that can address this specialty area.

I believe the heart of the debate lies in how an agency prioritizes the need to mitigate a breach versus the need to prevent a breach.

To me, you put the cart before the horse if you focus all your energy, attention and resources on recruiting those who can only fix a problem before you identify and employ those who are qualified to establish, communicate and implement an integrated security plan and assemble a skilled team (that includes warriors, by the way).

It’s a matter of preventing potential problems while discovering and mitigating exiting ones. Continuous monitoring is the highly important middle ground. It is not a good thing when two out of three breaches are discovered by outside parties.

So, how do you find a well-balanced information security professional?

In your interview process, you need to gain a solid understanding of:

• What the candidate really wants to be doing, what they are capable of doing, and if they can back up their claims of being able to do what they say they can do
• Whether they can do what you want them to do
• How much experience they have
• Their character and whether they are ethical

Some of the best resources for finding these people are:

• Recruiting agencies known for placing quality candidates in this field
• Professional organizations –like (ISC)2– that have online career sites and hold networking events such as career fairs/clinics
• HR personnel who have a solid grasp of what you need and can produce an effective (and sexy) advertisement that utilizes the right type of filters
• Technical schools and job fairs
• “Word of mouth”

I, for one, am glad to see an increased appreciation for information security professionals with a complete skill set and a focus on monitoring for the sake of prevention. Certainly, those who truly know security appear to be leaning in this direction and seem to be tipping the scales of debate toward the need to seek out the well-balanced professional who can be further trained to perform the deeper technical analyses when they need to.

W. Hord Tipton is executive director of (ISC)2 , the world’s largest non-profit body for certifying information security professionals; he is also the former Chief Information Officer of the U.S. Department of Interior and recipient of the President’s Distinguished Rank Award.